Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: captive portal on fortigate to enable a policy...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
captive portal on fortigate to enable a policy from user logged on it...
hello everyone,
i'm new to the forum and was wondering if it was possible to achieve what i asked in the subject.
to summarize...
The will is to have a captive portal, on fortigate, with local authentication, that allows me to steal the public source ip of the user, which will then be enabled, in some ad-hoc policies.
the most likely use, would be to access the firewall configuration interface, where in the policy a specific user is identified, who has just authenticated on the captive portal, coming from the internet...
another situation, the possibility of accessing other devices, such as video devices, with the same system...
thanks.
Labels:
- Labels:
-
FortiGate
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello luccosen,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just for information, this type of service works regularly on other brands, and I would have liked to leave this service to the customer....
thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello luccosen!
I found this solution. Can you tell me if it helps, please?
To set up a captive portal on FortiGate with local authentication and use the public source IP of the user for policy enforcement, follow these steps:
- Configure Captive Portal:
- Go to `Network > Interfaces`.
- Edit the interface where users will connect (ensure the interface role is set to LAN or Undefined).
- Enable `Security Mode` and configure the captive portal settings.
- Specify the user group that needs to be authenticated. - Create User Group:
- Go to `User & Device > User Groups`.
- Create a user group and add the users who will authenticate through the captive portal. - Configure Firewall Policies:
- Go to `Policy & Objects > Firewall Policy`.
- Create a new policy to allow access to the FortiGate configuration interface or other devices.
- Set the source interface to the one with the captive portal.
- Set the source address to the public IP of the user (this can be dynamically updated based on the user's IP after authentication).
- Set the destination to the FortiGate interface or the specific devices you want to allow access to.
- Set the action to `accept` and configure any additional settings as needed. - Enable Logging and Monitoring: Ensure logging is enabled for the firewall policy to monitor user access and troubleshoot if necessary.
- Test the Configuration: Authenticate through the captive portal and verify that the policies are applied correctly based on the user's public IP.
This setup allows you to control access based on user authentication and their public IP, enabling specific policies for accessing the FortiGate interface or other devices.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, but the customer have one WAN interface fort internet connection... about you configuration, you said that I have to create a newer interface for thi s service with new ip address? or I have to delete/modify the old wan interface? then, how can assign pubblic ip of user that is logged-in? I have to put user as source?
Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To implement a captive portal with local authentication on a FortiGate with a single WAN interface, follow these steps:
- Retain Existing WAN Interface: Do not delete or modify your existing WAN interface. You will use it for internet connectivity.
- Configure Captive Portal:
- Go to `Network` -> `Interfaces`.
- Select the interface where you want to enable the captive portal (typically a LAN interface).
- Enable the captive portal and configure it to use local authentication. - Create User Group:
- Go to `User & Authentication` -> `User Groups`.
- Create a user group for the users who will authenticate via the captive portal. - Set Up Firewall Policies:
- Go to `Policy & Objects` -> `IPv4 Policy`.
- Create a policy to allow traffic from the LAN interface to the WAN interface.
- In the policy, specify the source as the user group created earlier.
- For the source address, you can use the public IP of the user if known, or configure the policy to allow traffic from authenticated users. - Assign Public IP: If you need to assign a specific public IP to authenticated users, configure an IP pool and use it in the NAT settings of the firewall policy.
- Testing: Ensure that users can authenticate via the captive portal and that the correct policies are applied based on their authentication status.
This setup allows you to control access based on user authentication without needing to modify your existing WAN interface.
Does it answers your questions? :)
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again, but maybe I explained myself badly in the request,
the need is to have a portal where a user coming from the WAN can authenticate, using the existing WAN connection, and it seems to me that in the WAN interface this thing cannot be done, and thanks to this authentication, the firewall acquires its source IP.
This IP, which is variable based on where it comes from, can then be used, by putting the username inside various policies, allows incoming transit from the WAN only for the aforementioned user, and this authentication must not interfere with existing policies.
The first solution required the creation of a new interface, the second solution I did not understand how it can take the public address of the user, if the interface with the portal is the LAN...
Did I misunderstand? a portal cannot be created on a fictitious lookup interface, where do I land a VIP? and then use the user in some policy?
thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it is possible to set up a user authentication portal via the existing WAN connection that captures the source IP and associates it with user policies. This can be achieved by configuring an external captive portal server using FortiAuthenticator, translating the portal URL to the FortiGate WAN IP, and setting up a Virtual IP (VIP) to map traffic to the internal IP of the captive portal server. This setup allows capturing the user's public address and associating it with user policies.
Note that these answers are from a GPT engine, sorry if it is not really accurate. If it is not, please open a TAC ticket with your configuration and they will be happy to assist you!
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I assume then, that at the moment is impossible to realize, with only a firewalll. I can try to open a TAC.
Luciano.
Labels
-
FortiGate
10,577 -
FortiClient
2,151 -
FortiManager
889 -
5.2
687 -
FortiAnalyzer
680 -
5.4
638 -
FortiSwitch
583 -
FortiClient EMS
560 -
FortiAP
559 -
IPsec
419 -
6.0
416 -
SSL-VPN
375 -
FortiMail
372 -
5.6
362 -
FortiNAC
281 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
192 -
FortiAuthenticator
171 -
FortiGuard
160 -
5.0
152 -
Firewall policy
144 -
FortiGate-VM
129 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
Routing
75 -
ZTNA
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
FortiEDR
69 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
certificate
65 -
RADIUS
60 -
LDAP
60 -
fortilink
55 -
SSO
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
47 -
Application control
45 -
FortiDNS
43 -
Interface
43 -
Logging
41 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiDeceptor
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2587 | |
| 1378 | |
| 796 | |
| 658 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.